Windows Repair (All In One) – Tweaking.com’s free utility to help you with a bunch of configuration tweaks all in one place. Updated. There is also a Pro ($) version with more features.

As previously mentioned, I’ve disabled the EMET protection for “iexplore.exe” so the two play nicely together, and that strategy seemed to work fine.

However, when I installed EMET 5.2 on Lavie’s Win 8.1 x64 laptop, despite disabling/removing the EMET protection settings for Internet Explorer, the browser continued to hang while I had Malwarebytes Anti-Exploit going.

I could run just EMET 5.2 OR just Malwarebytes’ AE, but I decided I still like the idea of both, so I ended up having to roll back to EMET 5.1, where I don’t have an issue once the EMET protection for iexplore.exe is disabled.

I’m a bit late to the IE10/11 party for enterprise with the “Enterprise Mode” feature. We are still (yes) running IE 8 at the hot-dog factory and more than most in-house applications still require IE 8 platform compatibility – so here we stay for now. I’m hoping we can do some pilot testing of IE 11 and leverage these new IE technologies: Enterprise Mode, Enterprise Site List, and Enterprise Site Discovery. Hence the linkage below for additional research on my part.

Speaking of web-browsers and compatibility, careful and reflective readers of the GSD blog may recall quite the technical post (rant) a while back on Firefox and malware-detection/download monitoring that got my hackles all up and bothered.

As a Samsung SSD EVO 840 user (and loving every minute of that upgrade decision), I’m always on the watch for news updates on firmware or software upgrades, and here is some tantalizing news. According to the Samsung Magician software used to manage the drive, I’ve currently got the most current firmware available: EXT0BB6Q. So I’m watching these like a hawk.

INFO: Blogs, Sites & Social about Surface - Kurt Shintaku's Blog – I’m starting to familiarize myself with the Surface Pro 3 unit we got into the shop a while back. I’ve not fiddled with the stylus just yet, but the general usage is pretty straightforward. Kurt’s got some great linkage to additional blogs and sites for Surface Pro users so the best of these will be added into my RSS feed piles. The following in particular seemed quite good from a technical-support aspect (in contrast to product placement and cheerleading news).

Windows: Black screen after February 2015 Update – Borns IT and Windows Blog (Google Translated from original) – I’ve seen this more than a few times at work after Windows Updates going back to at least December. The updates go on, the system reboots, and just seems to “hang” on a black screen forever. Rebooting doesn’t help and there are no visual indications to let you know “something” is happening on the system. Like Gunter Born says, my experience is that with some patience and waiting (from a few minutes to hours) the system finally resolves what it is doing, the “loading Windows” graphics appear, and the system comes up. I’ve had techs who were too impatient and couldn’t wait and just wiped/reimaged the system, so there is that approach as well, but patience goes a long way. I just wish this trend would be addressed on the next round of Windows Updates. It’s annoying at the worst and frustrating at best.

Update Error 8024001F by Microsoft FREAK workaround – Borns IT and Windows Blog (Google Translated from original) – I’ve been watching and monitoring the FREAK situation but haven’t been posting on it here. That said, Gunter Born’s post is worth reading for sysadmins, even if you aren’t directly in charge of working on the FREAK issues in your shop. For some cribbing on FREAK see below:

How to Remove uTorrent’s EpicScale Crapware From Your Computer – How-To Geek – I can’t really fault uTorrent as the installer seems to clearly indicate an option to install EpicScale “add-on” software but one wonders how many people were paying attention carefully during the installation process. That’s how lots and lots of third-party “I don’t really want or need it” enhancement-ware packages get pummeled into users’ systems. Anyway…here’s the discussion summarized and how to get it off your system if you use uTorrent.

D-Link fixes the latest flaw in its routers, more patches on the way – Betanews – My DIR-655 router from D-Link is a hardware type “A” and as of right now, I’m still running the most current (06/1/2013) firmware release, version 1.37, so alas, no updates yet. Fingers crossed one will be offered in the near future. I’m not ready to pick up a new router yet as this one continues to work super-great and is more than fast enough.

DelFix deletes portable disinfection tools from your system automatically - gHacks Tech News – As someone who advocates use of free and portable adware-removal and security tools, it’s nice to know there is a utility, DelFix, that can do some post-cleanup removal of the adware-cleaning software remnants. I like the concept, but per Martin Brinkmann’s article on gHacks, it doesn’t currently offer a log advising you in advance what is going to get cleaned/nuked, so you may be taking a risk to use it. I have to agree that I’d look forward to a future version that includes some ability to review the actions to be taken (and selectively accept them first) before execution.

Program launcher SyMenu integrates Nirsoft, Sysinternals and other programs - gHacks Tech News – I really like the SyMenu application. It is in my “projects” pile to fiddle with to see if it can help me manage my portable USB application folder. I’m sure it would do a wonderful job rather than my current method of just rummaging around in my utility folders for the tool I’m looking for. That said, it also includes the ability to integrate the NirSoft suite and the Sysinternals Suite. Pretty cool. Other tools that help with that process are:

Finally, every so often I drop in over at NoVirusThanks to check out some of their free tool offerings and to see what they have been up to for new portable security and system utilities. Besides their free tools, they also offer some free network tools. Most may be replicated in other local utilities but it still may be worthwhile to bookmark them for reference just in case your USB stick isn’t handy.

What I failed to clearly explain in that list is the following potential “gotcha” one may trip over.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) – while generally very compatible both with Malwarebytes and Malwarebytes Anti-Exploit (MBAE) – seems to prevent smooth launching of the Internet Explorer web-browser when both are using default settings.

On both my Win 7 x64 and Lavie’s Win 8.1 x64 systems Firefox, Chrome/Chromium, and Vivaldi browsers all seem to work just fine with EMET and MBAE running…though I just keep to the default EMET configurations on install and don’t specifically add custom protection for Firefox/Chrome/Vivaldi to EMET. Internet Explorer (iexplore.exe) is included in the default EMET protection. And the free version of MBAE protects Firefox, Chrome, Internet Explorer and Opera browsers.

Many MBAE users recommend just skipping (or uninstalling) EMET, but I find they do complement each other nicely with the exception of Internet Explorer, so I continue to run them together at the same time, with the following conditions noted below.

On Lavie’s Windows 8.1 system I actually – through great trial and error – arrived at a combination of EMET iexplore.exe protection feature checks/unchecks to get IE running smoothly with no issues alongside MBAE. (When I can get Lavie’s laptop away from her, I’ll update this post with a screen shot of her Windows 8.1 MBAE configuration.)

On both my Windows 7 systems I just punted and disabled EMET protection for Internet Explorer entirely as I almost never use IE myself and will just trust MBAE to cover the EMET opening I’ve created with that strategy.

Likewise if you have the paid version of MBAE, you could optionally disable the IE protection in MBAE and leave the EMET protection in place; the free version doesn’t allow adding of processes or disabling of protections.

There are some Malwarebytes MBAE forum threads that try to address the tweaking of EMET more methodically.

Again, I managed to do that on Lavie’s Win 8.1 system and will (probably) eventually get around to either confirming the iexplore.exe configuration for EMET 5.1 noted in the forum post above, or finding the combo that works on my Win 7 systems, and I will post an update here as well.

In case you are curious to know if MBAE is actually protecting your system, they do offer a series of test files you can use to trigger the MBAE protection alert for validation.

Also, while researching this post, I found a few notices that a new version of Malwarebytes Anti-Malware (2.1) will be on the way soon. It is currently available in a Beta form if you are daring.

I’m looking forward to the changes and promised performance improvements.

Finally, in case you are interested, the Vivaldi browser I’ve been crushing on lately isn’t included in the free version of MBAE protection. Again, if I was using the paid version, I’m pretty sure I could add the exe file to the list manually to provide customized protection. I imagine it should play well as it is based on Chrome/Chromium, which does get protected by MBAE via its chrome.exe host process coverage.

It still isn’t my primary web-browser but I enjoy the web-browsing experience the more I use it between releases.

So does Ars Technica! If you haven’t spent much time checking it out based on what I’ve been posting here (my #1 excitement…having a Chrome-like browser but with a true bookmark side-bar like Firefox) check out Scott Gilbertson’s wonderful review below.

I also depend on ad-blocker add-ons. I totally get the whole argument about how blocking ads cuts into the revenue streams of many full-time bloggers who make their living from ad-generated revenue. However, I’ve also seen the carnage from malware delivered via malvertising campaigns. That isn’t (usually) the fault of the blogger or web-site, but I don’t like the idea of getting infected either. Also, I’m very, very unlikely to purchase a product seen via a web-ad. Word of mouth and in-depth product reviews from trusted bloggers are much more likely to encourage me to check out a product.

I digress…

So I cannot run an ad-blocker add-on in Vivaldi (as I do in my primary-use Firefox/Chromium browsers), yet I want to do so to ensure I have an additional layer of protection against a malvertising-based attack.

I’ve got a lot to learn about Ad Muncher, but the gist is that it runs on your system, sitting in the system tray, and can cover ad-blocking in any web-browser (without needing to be an add-on extension).

The program is highly configurable and you can add all kinds of extra tweaks and custom filtering.

It does sit as a local proxy of sorts for your browser web-traffic, so if you are concerned, be aware of that and take some time to read the extensive Ad Muncher v4.72 and newer help page for all the technical details. Also, don’t forget it is running as a proxy of sorts, as that could throw off your troubleshooting a bit.

It’s not a good sign when the help desk starts getting calls from users asking why IT is trying to remote to their systems with a new “VNC” product. It’s especially not good when IT doesn’t use that product and is not making blanket network connections to our customers. Someone better tell the little Dutch boy to go stick his finger in the perimeter dyke!

Some users selected “OK” to allow the remote connection thinking it was the local IT shop. Most did not.

Data has been collected from the incident and I was able to identify some IOCs to use to go back and search out other systems where users may have selected “OK” but didn’t call in afterward to say that they had taken the bait.

Looking at logs from some of those systems, it appears that although a remote connection window was presented to the user, the application logs register the inbound connection but do not indicate that a connection was successfully opened to the user’s system, despite the dialog window presentation and the user clicking “OK”. More research/incident-triage would be beneficial but the order came in to wipe/reimage these systems immediately so…there we are.

My guess (and without additional information it is just an educated guess) is that something got left open on the perimeter, an automated IP/port scan for VNC got through and triggered the local VNC responses seen. The actual mechanism and tool used remains unclear.
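To make the log-triage step above concrete, here is an added example (my own code, not the post author’s and not any VNC product’s tooling). It walks a set of VNC-server-style log lines, keeps only the events involving the scanner IP pulled from the IOCs, and buckets each workstation by how far the contact got: inbound only, user clicked “OK” but no session recorded (the pattern described above), or a session actually opened. The log format, host names, and IP addresses are constructed for the demo; adapt `parse_line()` to whatever your VNC server really writes.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "timestamp host EVENT ... peer" format.
# This is NOT any real VNC server's log format; adapt parse_line() to yours.
# 198.51.100.23 plays the scanner IP from the IOCs; 10.0.5.9 plays a legitimate IT peer.
SAMPLE_LOG = """\
2015-03-10 09:12:01 WS-0142 INBOUND from 198.51.100.23:51234
2015-03-10 09:12:03 WS-0142 PROMPT shown to console user
2015-03-10 09:12:09 WS-0142 REJECTED peer 198.51.100.23:51234
2015-03-10 09:14:30 WS-0207 INBOUND from 198.51.100.23:51240
2015-03-10 09:14:31 WS-0207 PROMPT shown to console user
2015-03-10 09:14:40 WS-0207 ACCEPTED peer 198.51.100.23:51240
2015-03-10 09:14:40 WS-0207 SESSION opened for 198.51.100.23:51240
2015-03-10 09:20:12 WS-0311 INBOUND from 198.51.100.23:51250
2015-03-10 09:20:13 WS-0311 PROMPT shown to console user
2015-03-10 09:20:25 WS-0311 ACCEPTED peer 198.51.100.23:51250
2015-03-10 09:45:00 WS-0142 INBOUND from 10.0.5.9:40000
2015-03-10 09:45:01 WS-0142 ACCEPTED peer 10.0.5.9:40000
2015-03-10 09:45:01 WS-0142 SESSION opened for 10.0.5.9:40000
"""

PEER_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def parse_line(line):
    """Return (timestamp, host, event, peer_ip_or_None), or None for junk lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    timestamp = f"{parts[0]} {parts[1]}"
    host, event = parts[2], parts[3]
    # Only lines that end in ip:port carry a peer; PROMPT lines do not.
    peer = parts[-1].rsplit(":", 1)[0] if PEER_RE.match(parts[-1]) else None
    return timestamp, host, event, peer


def triage(log_text, suspect_ips):
    """Bucket each host by the furthest stage reached with a suspect peer."""
    stage = defaultdict(lambda: {"inbound": 0, "accepted": False, "session": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, host, event, peer = rec
        # Only peer-bearing events from the IOC IPs count, so legitimate IT
        # sessions (10.0.5.9 in the sample) do not pollute the verdicts.
        if peer is None or peer not in suspect_ips:
            continue
        h = stage[host]
        if event == "INBOUND":
            h["inbound"] += 1
        elif event == "ACCEPTED":
            h["accepted"] = True
        elif event == "SESSION":
            h["session"] = True
    verdicts = {}
    for host, h in stage.items():
        if h["session"]:
            verdicts[host] = "session_opened"
        elif h["accepted"]:
            verdicts[host] = "accepted_no_session"
        elif h["inbound"]:
            verdicts[host] = "contacted_not_accepted"
    return verdicts


def hosts_to_follow_up(verdicts):
    """Hosts where the user clicked OK, whether or not a session was logged."""
    return sorted(h for h, v in verdicts.items() if v != "contacted_not_accepted")


if __name__ == "__main__":
    v = triage(SAMPLE_LOG, {"198.51.100.23"})
    for host in sorted(v):
        print(f"{host}: {v[host]}")
    print("follow up:", hosts_to_follow_up(v))
```

The “accepted but no session” bucket is kept separate on purpose: as the post notes, a missing session record is not proof nothing happened, so those hosts still go on the follow-up list rather than being cleared.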

Here are some articles and links about VNC-type based attacks for my reference and review.

Dyre Targets More Websites - ThreatTrack Security Labs Blog – besides looking to steal banking credentials from infected systems, this variant has now expanded to file hosting, job hunting, general commerce, and even some income tax service websites!

Mr. Zeltser offers a very interesting approach to preventing malware infection of a system. By using known infection-markers and loading them into a clean system, he can inoculate the system against infection. It uses the tendency of malware writers to check whether a system is already compromised (or is virtualized) by looking at running processes, maybe registry keys, etc. If those indicators are present, then the payload delivery and infection get skipped! The thought here is that if you know what those are, drop the safe “bits” around a system, then when the malware attack comes it “passes over” the system and the system stays clean. Very clever indeed!
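As an added example of the inoculation idea (my own code, not Mr. Zeltser’s tool or any published marker list), the script below manages a manifest of harmless file markers: it audits which are already present, plants only the missing ones, and later removes exactly what it planted. The marker file names are made-up placeholders; real marker lists come from your own malware analysis or IOC reports. Only file markers are implemented here so it runs anywhere; registry-key and mutex markers are Windows-specific and would need their own marker class.

```python
import json
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMarker:
    """A harmless file whose mere presence is the 'already infected' signal."""
    path: str

    def exists(self):
        return os.path.exists(self.path)

    def plant(self):
        os.makedirs(os.path.dirname(self.path), exist_ok=True)
        # "x" mode: never overwrite; a pre-existing artifact must be left alone.
        with open(self.path, "x", encoding="utf-8") as f:
            f.write("inoculation marker; harmless; see manifest\n")


def audit(markers):
    """Map each marker path to whether it is currently present."""
    return {m.path: m.exists() for m in markers}


def inoculate(markers, manifest_path):
    """Plant every missing marker and record what WE created in a manifest.

    Markers that were already present are deliberately not recorded: an artifact
    you did not plant may be a genuine infection indicator worth investigating,
    and removal must never delete it.
    """
    planted = []
    for m in markers:
        if not m.exists():
            m.plant()
            planted.append(m.path)
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(planted, f)
    return planted


def remove_inoculation(manifest_path):
    """Remove only the files listed in the manifest, then the manifest itself."""
    with open(manifest_path, encoding="utf-8") as f:
        planted = json.load(f)
    for p in planted:
        if os.path.exists(p):
            os.remove(p)
    os.remove(manifest_path)
    return planted


def demo():
    """Run the full cycle in a temp dir; returns a summary dict for inspection."""
    root = tempfile.mkdtemp(prefix="inoc_demo_")
    # Placeholder marker names (constructed for the demo, not real IOCs).
    markers = [
        FileMarker(os.path.join(root, "placeholder_marker_a.dat")),
        FileMarker(os.path.join(root, "sub", "placeholder_marker_b.dat")),
    ]
    markers[0].plant()  # simulate an artifact that was already on the box
    before = audit(markers)
    manifest = os.path.join(root, "inoculation_manifest.json")
    planted = inoculate(markers, manifest)
    after = audit(markers)
    removed = remove_inoculation(manifest)
    final = audit(markers)
    summary = {
        "preexisting": [os.path.basename(p) for p, present in before.items() if present],
        "planted": [os.path.basename(p) for p in planted],
        "all_present_after": all(after.values()),
        "removed": [os.path.basename(p) for p in removed],
        "preexisting_kept": final[markers[0].path],
        "planted_gone": not final[markers[1].path],
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical points the manifest enforces: your own AV or IR scans will flag the planted markers, so keep the manifest where the responders can find it, and a marker that was already present before you ran this is the one you should be looking at, not deleting.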
